forked from mondoohq/cnspec-policies
mondoo-gitlab-security.mql.yaml
policies:
  - uid: mondoo-gitlab-security
    name: GitLab Security
    version: 1.2.0
    license: MPL-2.0
    tags:
      mondoo.com/category: security
      mondoo.com/platform: gitlab,saas
    authors:
      - name: Mondoo, Inc
        email: [email protected]
    docs:
      desc: "## Overview\n\nThe GitLab Security by Mondoo policy bundle provides guidance for establishing minimum recommended security and operational best practices for GitLab. This policy is early access.\n\n## Remote scan\n\nRemote scans use native transports in `cnspec` to provide on demand scan results without the need to install any agents or integration.\n\nFor a complete list of native transports run:\n\n```bash\ncnspec scan --help\n```\n\n### Prerequisites\n\nRemote scans of GitLab require a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group.\n\n### Run a scan of a GitLab group\n\nOpen a terminal and configure an environment variable with your GitLab personal access token:\n\n```bash\nexport GITLAB_TOKEN=<your personal access token>\n```\n\nRun a remote scan of your GitLab group:\n\n```bash\ncnspec scan gitlab --group <group_name>\n```\n\n## Join the community!\n\nOur goal is to build policies that are simple to deploy, accurate, and actionable.\n\nIf you have any suggestions on how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions."
    groups:
      - title: GitLab
        filters: platform.name == "gitlab"
        checks:
          - uid: mondoo-gitlab-security-private-group
          - uid: mondoo-gitlab-security-private-projects
          - uid: mondoo-gitlab-security-require-two-factor
queries:
  - uid: mondoo-gitlab-security-private-group
    title: Ensure the group is private
    mql: |
      gitlab.group.visibility != "public"
    docs:
      desc: |
        GitLab allows users with the Owner role to set a project's or group's visibility as:
        - Public
        - Internal
        - Private
        These visibility levels affect who can see the project in the public access directory (/public for your GitLab instance). For example, https://gitlab.com/public. You can control the visibility of individual features with project feature settings.
        Private projects can only be cloned and viewed by project members (except for guests). They appear in the public access directory (`/public`) for project members only.
      audit: "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=<group name>`\n3. Run the following query\n\n ```mql\n gitlab.group.visibility\n ```\n"
      remediation: |
        To make the visibility of a GitLab group private, see [Change group visibility](https://docs.gitlab.com/ee/user/public_access.html#change-group-visibility).
  - uid: mondoo-gitlab-security-require-two-factor
    title: Ensure two-factor authentication is required
    mql: |
      gitlab.group.requireTwoFactorAuthentication == true
    docs:
      desc: |
        Two-factor authentication (2FA) provides an additional layer of security to your users' GitLab accounts. When enabled, users are prompted for a code generated by an application in addition to supplying their username and password to sign in.
      audit: "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=<group name>`\n3. Run the following query\n\n ```mql\n gitlab.group.requireTwoFactorAuthentication\n ```\n"
      remediation: "GitLab offers several options to configure 2FA for your users. To enable 2FA in your GitLab, see [Enforce two-factor authentication](https://docs.gitlab.com/ee/security/two_factor_authentication.html) on the GitLab documentation site.\n"
  - uid: mondoo-gitlab-security-private-projects
    title: Ensure all projects are private
    mql: gitlab.group.projects { visibility != "public" }
    docs:
      desc: |
        GitLab allows users with the Owner role to set a project's or group's visibility as:
        - Public
        - Internal
        - Private
        These visibility levels affect who can see the project in the public access directory (/public for your GitLab instance). For example, https://gitlab.com/public. You can control the visibility of individual features with project feature settings.
        Private projects can only be cloned and viewed by project members (except for guests). They appear in the public access directory (`/public`) for project members only.
      # The audit query lists each project's visibility; the group-level query used
      # by the other checks would not show which project fails.
      audit: "__cnspec Shell__\n\n1. Open a Terminal.\n2. Connect cnspec shell to GitLab `cnspec shell gitlab --option token=${GITLAB_TOKEN} --option group=<group name>`\n3. Run the following query\n\n ```mql\n gitlab.group.projects { visibility }\n ```\n"
      remediation: "To make the visibility of a GitLab project private, see [Change project visibility](https://docs.gitlab.com/ee/user/public_access.html#change-project-visibility).\n"
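The three checks above, evaluated offline in Python over a constructed GitLab Groups API payload, as an added example that is not part of the policy bundle or of cnspec. It assumes the JSON shape of GitLab's REST `GET /groups/:id` response (fields `visibility`, `require_two_factor_authentication` and a `projects` list); the sample group is constructed, not a real one, and is useful for seeing what the policy would flag before scanning a live group.

```python
"""Offline evaluation of the checks in mondoo-gitlab-security.mql.yaml.

Added example, not cnspec's or Mondoo's code. Assumes the field names of
GitLab's Groups API (GET /groups/:id); the payload below is constructed.
"""
import json

# Constructed sample: a private group without enforced 2FA that owns one
# public project, so two of the three checks should fail.
SAMPLE_GROUP = json.loads("""
{
  "id": 42, "full_path": "example-org",
  "visibility": "private",
  "require_two_factor_authentication": false,
  "projects": [
    {"id": 1, "path_with_namespace": "example-org/internal-api", "visibility": "private"},
    {"id": 2, "path_with_namespace": "example-org/website", "visibility": "public"},
    {"id": 3, "path_with_namespace": "example-org/docs", "visibility": "internal"}
  ]
}
""")


def check_private_group(group):
    # mondoo-gitlab-security-private-group: gitlab.group.visibility != "public"
    # A missing field is treated as a failure rather than silently passing.
    vis = group.get("visibility")
    return vis is not None and vis != "public"


def check_require_two_factor(group):
    # mondoo-gitlab-security-require-two-factor:
    # gitlab.group.requireTwoFactorAuthentication == true
    return group.get("require_two_factor_authentication") is True


def public_projects(group):
    # Projects that fail gitlab.group.projects { visibility != "public" },
    # returned by path so the finding names the offending project.
    return [p["path_with_namespace"] for p in group.get("projects", [])
            if p.get("visibility") == "public"]


def evaluate(group):
    """Map each check uid from the bundle to a pass/fail boolean."""
    return {
        "mondoo-gitlab-security-private-group": check_private_group(group),
        "mondoo-gitlab-security-require-two-factor": check_require_two_factor(group),
        "mondoo-gitlab-security-private-projects": not public_projects(group),
    }


if __name__ == "__main__":
    for uid, ok in evaluate(SAMPLE_GROUP).items():
        print(f"{'PASS' if ok else 'FAIL'}  {uid}")
    for path in public_projects(SAMPLE_GROUP):
        print(f"      public project: {path}")
```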